Cyber Resilience

CVE-2026-33804

High

Published: 16 April 2026

Published
16 April 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0028 19.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33804 is a high-severity Interpretation Conflict (CWE-436) vulnerability in Fastify Fastify\/Middie. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-33804 is a middleware bypass vulnerability in @fastify/middie versions 9.3.1 and earlier. It occurs when the deprecated Fastify ignoreDuplicateSlashes option is enabled, as the middleware's path matching logic does not account for duplicate slash normalization performed by Fastify's router. Requests containing duplicate slashes in the path can thus evade authentication and authorization checks enforced by middleware.

Attackers with network access and no required privileges can exploit this issue by sending specially crafted HTTP requests with duplicate slashes. The attack requires high complexity, likely due to the need to identify specific paths protected by middleware. Exploitation enables high confidentiality and integrity impacts, allowing unauthorized access to sensitive data or modifications to protected resources, with no availability impact.

Advisories recommend upgrading to @fastify/middie 9.3.2 to address the vulnerability. No workarounds exist other than disabling the ignoreDuplicateSlashes option. Details are available in the OpenJSF CNA advisories and the GitHub security advisory GHSA-v9ww-2j6r-98q6.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

@fastify/middie versions 9.3.1 and earlier are vulnerable to middleware bypass when the deprecated Fastify ignoreDuplicateSlashes option is enabled. The middleware path matching logic does not account for duplicate slash normalization performed by Fastify's router, allowing requests with duplicate slashes to…

more

bypass middleware authentication and authorization checks. This only affects applications using the deprecated ignoreDuplicateSlashes option. Upgrade to @fastify/middie 9.3.2 to fix this issue. There are no workarounds other than disabling the ignoreDuplicateSlashes option.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The middleware bypass via duplicate slashes in HTTP paths directly enables exploitation of a public-facing web application to evade auth/authz checks and gain unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6270Same product: Fastify Fastify\/Middie
CVE-2026-2880Same product: Fastify Fastify\/Middie
CVE-2026-22031Same product: Fastify Fastify\/Middie
CVE-2026-33808Same vendor: Fastify
CVE-2026-33807Same vendor: Fastify
CVE-2026-25223Same vendor: Fastify
CVE-2026-33806Same vendor: Fastify
CVE-2026-42551Shared CWE-436
CVE-2026-41248Shared CWE-436
CVE-2026-27444Shared CWE-436

Affected Assets

fastify
fastify\/middie
≤ 9.3.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of the specific flaw in @fastify/middie that enables middleware bypass via duplicate slashes.

prevent

Mandates enforcement of approved authorizations for all request paths, preventing bypass of middleware authentication and authorization checks due to path normalization discrepancies.

prevent

Establishes secure configuration settings that disable the deprecated ignoreDuplicateSlashes option, serving as the recommended workaround to mitigate the vulnerability.

References